
[Question] Is there any reverse shell that can pass through Network?


rootman


If you know of any ports which are open, then yes. Run a port sniffer script on it first which emails the nmap result to you and then set the corresponding port. If the network is configured properly then its SAPs should be stealthed, but sometimes you can get lucky. SAPs between the 5000 - 5100 range can be vulnerable as they are often left open for Passive FTP.

Like any network, all you need is a clear SAP path from node to node, it just requires a bit more digging to find it.

EDIT: Either that, or if you have access to the network's router, you can add your own NAT signatures, or even designate the vic's device as the network's DMZ.

RE-EDIT: The easiest way to do it is to set up a remote SSH site which listens on port 80 and forwards it on to you at whichever port you want. You can then send the Reverse Shell to the SSH server using the default HTTP port. The main difficulty with this, though, is that it can cause a lot of noticeable traffic on the victim's network. If it's a strong network, the packets will be monitored and, although they won't be able to be intercepted or read at all, the endpoint will be known. Running processes through SAP80 can set alarm bells off on the network and is not highly recommended, but it is a quick and dirty way of doing it.

Edited by ApacheTech

All depends on the router (& firewall policies).

Questions:

  1. how is the payload getting introduced?
  2. do you have prior knowledge on security policies (eg firewalls, proxies)?

A reverse shell's purpose is for leaving the network and hitting a publicly accessible IP, depending on the number of obstacles in the way.


You only need to patch a port on the reverse side's router as the victim is connecting OUT of their network. This is considered 'normal' behavior more or less. Obviously IDS, certain advanced firewalls and the sort could be problematic but I get the feeling that this is a simple situation. You can have a reverse shell connect through a standard protocol (HTTP), making it less obvious that anything nefarious is happening. More details would be helpful.


  • 1 month later...

An easy thought is: can these PCs access the internet behind the routers and firewall? If so, just run a secure reverse shell over 443. Some IDS will look at the TCP stream and see the amount of traffic as anomalous, but most will see encrypted traffic and ignore it.

I agree, you could also use the DNS port 53 if I'm not mistaken.

The disadvantage with port 53 is that it will likely trigger the IDS, but I guess it could work on a home network.

Edited by sierrabrav0
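The detection side of what the posts above describe (an IDS watching the TCP stream for anomalous volume on 443, and port 53 traffic tripping alarms), as an added example that is not from this thread: three heuristics run over constructed Zeek conn.log-style rows. The column layout, the thresholds and the resolver list are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed rows (assumed layout): ts src dst dport duration_s orig_bytes resp_bytes
CONN_LOG = """\
100  10.0.0.5   203.0.113.7   443  1.2     5120  88000
160  10.0.0.5   203.0.113.7   443  0.9     4800  91000
310  10.0.0.5   10.0.0.1       53  0.01      64    180
100  10.0.0.9   198.51.100.2  443  0.5      300    500
400  10.0.0.9   198.51.100.2  443  0.4      290    480
700  10.0.0.9   198.51.100.2  443  0.5      310    510
1000 10.0.0.9   198.51.100.2  443  0.6      305    495
200  10.0.0.12  198.51.100.9  443  7200.0 18000  26000
300  10.0.0.12  198.51.100.9   53  0.2      900    300
"""

RESOLVERS = {"10.0.0.1"}   # assumed: the site's sanctioned DNS resolvers
LONG_SESSION_S = 3600      # web sessions rarely stay open this long...
LOW_RATE_BPS = 100         # ...while moving almost no data (shell, not download)
MIN_BEACONS = 4            # samples needed before judging interval regularity
BEACON_CV = 0.1            # stdev/mean of inter-arrival gaps below this = clockwork


def parse(log_text):
    for line in log_text.splitlines():
        f = line.split()
        if f:
            yield float(f[0]), f[1], f[2], int(f[3]), float(f[4]), int(f[5]), int(f[6])


def analyze(log_text, resolvers=RESOLVERS):
    findings = set()
    flows = defaultdict(list)
    for ts, src, dst, dport, dur, ob, rb in parse(log_text):
        flows[(src, dst, dport)].append(ts)
        # Rule 1: hour-plus session on a web port carrying almost nothing.
        if dport in (80, 443) and dur >= LONG_SESSION_S and (ob + rb) / dur < LOW_RATE_BPS:
            findings.add(("long_quiet_session", src, dst))
        # Rule 2: port 53 to anything other than the sanctioned resolvers.
        if dport == 53 and dst not in resolvers:
            findings.add(("dns_to_non_resolver", src, dst))
    # Rule 3: repeated connections to one place at near-constant intervals.
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < BEACON_CV:
            findings.add(("regular_beacon", src, dst))
    return sorted(findings)
```

Running `analyze(CONN_LOG)` flags the two hosts that behave like the scenarios in the thread and leaves the ordinary browsing and resolver traffic from 10.0.0.5 alone.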

I haven't had any problems with ~Persistence, though it all depends on the network. Below is a link to the persistence payload. You can also use the simple-ducky, which will generate the payload, set up your webserver, move nc.exe to your web directory and launch a listener for you. All you would have to do is register a no-ip.org page and forward ports 80 and 443 to your attacking machine. And I would assume this would only be used on a legitimate pentest?!?!

Best of luck

http://forums.hak5.org/index.php?/topic/29142-payload-persistence-windows-7-wuac/

Edited by skysploit